Getting Data In

mvcombine ignores specified delimiter

Path Finder

We're indexing /var/log/secure, as one does, and I have a request to list users who've logged in in a comma-delimted list per host. I'm using the Splunk search

source=/var/log/secure "pam_unix(sshd:session): session opened" | stats values(user) as "user" by host |  mvcombine delim="," user

This works great, but for some reason the results are not honoring the delim="," and so they're coming out as space-delimited instead. A minor annoyance, but pointers for getting this to do exactly as I want would be great.

0 Karma


This guy has the right answer here:

In short, your search needs to move the delim parameter to your stats command, like this.

source=/var/log/secure "pam_unix(sshd:session): session opened" | stats delim="," values(user) as "user" by host | mvcombine user


In this case, @peter7431's answer is probably the best answer. There are times when you aren't using stats to get the multi-value field so I wanted to follow-up with why it didn't work and two ways to make it work.

Why didn't it work?

mvcombine takes fields from different events and combines them. For example:

| gentimes start=-1 
| eval foo="cat;bear;monkey;horse;dog" 
| fields foo | eval foo=split(foo,";")
|  mvexpand foo

Then if we try mvcombine and use nomv, you can see the effect of the delim argument:

| mvcombine delim="DelimsROCK" foo
|  nomv foo

Other than the stats command, how can we make it work?

Option 1: Utilize mvexpand and nomv

The most obvious solution can be seen in my above example where I use mvexpand foo and nomv foo:
source=/var/log/secure "pam_unix(sshd:session): session opened"
| stats values(user) as "user" by host
| mvexpand user
| mvcombine delim="," user
| nomv user

Note: There are two additions mvexpand and nomv

Option 2 (preferred): Use the mvjoin

source=/var/log/secure "pam_unix(sshd:session): session opened"
| stats values(user) as "user" by host 
| eval user=mvjoin(user,",")
0 Karma

Path Finder

I want a table like so:

host 1 user1,user4,user8,user13
host2 user1,user2,user9,user11,user101
host3 user2,user4,user10

What I'm getting now is:

host 1 user1 user4 user8 user13
host2 user1 user2 user9 user11 user101
host3 user2 user4 user10

0 Karma

Splunk Employee
Splunk Employee

What are you trying to do with mvcombine here? It looks like your stats command is requesting a multivalue field for user, but then you're trying to combine it. mvcombine works on multiple events, with single-value fields.

What do you want as your ultimate table?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!